Authenticated XSS Vulnerability in WP Statistics

Introduction

A few days ago the awesome folks over at Sucuri found a SQL Injection vulnerability in the popular WP Statistics WordPress Plugin, currently installed on over 300,000 websites. We wanted to check whether our existing toolsets would have detected that vulnerability, so that we could ensure Dewhurst Security clients were not affected by similar issues. During this process we identified the Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discussed below. The vulnerability was responsibly disclosed to the vendor, who patched the issue and released a new version on the same day.

Description

Version 12.0.8.1 and below of the WP Statistics WordPress Plugin was found to be vulnerable to Authenticated Reflected Cross-Site Scripting (XSS). The 'ip' GET parameter of the 'wps_visitors_page' admin page is output into the page without first being validated, sanitised or output encoded. Because the page is only reachable by logged-in users, exploitation requires tricking an authenticated administrator into clicking a specially crafted link; once that happens the injected script runs with the administrator's session and can be used to compromise the WordPress installation.

Please note that other potential instances of Authenticated XSS were identified; however, these were protected by Cross-Site Request Forgery (CSRF) nonces, which an attacker cannot predict for a victim's session and therefore cannot embed in a crafted link.

Affected Software

WP Statistics WordPress Plugin, version 12.0.8.1 and below.

Technical Description:

Source: On line 28 of the includes/log/last-visitor.php file, the value of $_GET['ip'] is copied into the $_get variable.

Sink: On line 74 of the includes/log/last-visitor.php file, the $_get variable is written into the page with PHP's echo without any output encoding.
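The following PHP is an added illustration written for this advisory, not the plugin's own code: the real includes/log/last-visitor.php is not reproduced here, so the handler below is a hypothetical reconstruction of the pattern described above (a GET parameter copied into a variable and echoed into an HTML attribute), placed beside a hardened version. The function names, the attribute layout and the CLI shim for WordPress's esc_attr() are assumptions; the payload string is the URL-decoded form of the PoC link in the next section.

```php
<?php
// Added example for this advisory; not the WP Statistics plugin's code.
// The vulnerable function is a hypothetical reconstruction of the
// source -> sink flow described above ($_GET['ip'] -> $_get -> echo).

// Stand-in so the file runs from the CLI outside WordPress. esc_attr() in
// WordPress does the same job: entity-encode for an HTML attribute context.
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the raw parameter lands inside a single-quoted attribute,
// so a value starting with '> closes the attribute and the tag.
function render_ip_filter_vulnerable(array $get): string {
    $ip = isset($get['ip']) ? $get['ip'] : '';           // "source"
    return "<input type='text' name='ip' value='" . $ip . "'>"; // "sink"
}

// Hardened pattern: validate the value as an IP address first, then encode
// for the attribute context on output. Encoding is kept even after validation
// so a later relaxation of the validation cannot silently reopen the sink.
function render_ip_filter_fixed(array $get): string {
    $ip = isset($get['ip']) ? (string) $get['ip'] : '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = ''; // not an IPv4/IPv6 literal: drop it rather than reflect it
    }
    return '<input type="text" name="ip" value="' . esc_attr($ip) . '">';
}

// Constructed inputs: the PoC payload as PHP would see it in $_GET after
// URL decoding, and a benign address from the RFC 5737 documentation range.
$crafted = ['ip' => "'><img src=x onerror=alert(1)><\""];
$legit   = ['ip' => '203.0.113.7'];

echo "vulnerable, crafted: " . render_ip_filter_vulnerable($crafted) . "\n";
echo "fixed, crafted:      " . render_ip_filter_fixed($crafted) . "\n";
echo "fixed, legitimate:   " . render_ip_filter_fixed($legit) . "\n";
```

Run with `php example.php`: the vulnerable line shows the attribute closed early and a live `<img onerror>` element in the markup, while the fixed function reflects nothing for the crafted value and reflects the legitimate address unchanged. Validation alone (rejecting non-IP strings) would already have stopped this payload; output encoding alone (esc_attr) would also have stopped it, because the quotes and angle brackets become entities. Using both is the usual recommendation, and wrapping the page in a WordPress nonce check would additionally block the crafted-link delivery in the same way the other instances mentioned above were protected.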

Proof of Concept (PoC):

While logged in to WordPress as a user who can access the plugin's pages, open the following link in the Firefox browser (the 'ip' value is the URL-encoded form of '><img src=x onerror=alert(1)><"):
http://mywordpress.com/wp-admin/admin.php?page=wps_visitors_page&ip=%27%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22

A fully weaponised XSS exploit was also created that used the WordPress Theme Editor, with the victim administrator's session, to insert a PHP backdoor into the site. The weaponised payload has not been supplied with this advisory; however, it is trivial to create.